List of data types

This page lists the data types used to define the syntax of the search language. Learn more about the commands used in these examples by referring to the Command quick reference.

after-opt

Syntax: timeafter=<int>(s|m|h|d)?

Description: The amount of time to add to endtime (i.e., expand the time region forward in time).

anovalue-action-option

Syntax: action=(annotate|filter|summary)

Description: If action is ANNOTATE, a new field is added to the event containing the anomalous value; this field indicates the anomaly score of the value. If action is FILTER, events with anomalous value(s) are isolated. If action is SUMMARY, a table summarizing the anomaly statistics for each field is generated.

anovalue-pthresh-option

Syntax: pthresh=<num>

Description: Probability threshold (as a decimal) that has to be met for a value to be deemed anomalous

associate-improv-option

Syntax: improv=<num>

Description: Minimum entropy improvement for target key. That is, entropy(target key) - entropy(target key given reference key/value) must be greater than or equal to this.

collect-arg

collect-file

Syntax: file=<string>

Description: Name of the file to write the events to. Optional, default "<random-num>_events.stash". The placeholders $timestamp$ and $random$ can be used in the file name and are replaced with a timestamp and a random number, respectively.

collect-index

Syntax: index=<string>

Description: Name of the index that Splunk should add the events to. Note: the index must exist for events to be added to it; the index is NOT created automatically.

collect-marker

Syntax: marker=<string>

Description: A string, usually of key-value pairs, to append to each event written out. Optional, default "".

collect-spool

Syntax: spool=<bool>

Description: If set to true (the default), the summary indexing file is written to Splunk's spool directory, where it is indexed automatically. If set to false, the file is written to $SPLUNK_HOME/var/run/splunk.

collect-testmode

Syntax: testmode=<bool>

Description: Toggle between testing and real mode. In testing mode the results are not written into the new index, but the search results are modified to appear as they would if sent to the index. Defaults to false.

comparison-expression

connected-opt

Syntax: connected=<bool>

Description: Relevant only if fields is not empty. Controls whether an event that is neither inconsistent nor consistent with the fields of a transaction opens a new transaction (connected=t) or is added to the transaction. An event can be neither inconsistent nor consistent if it contains fields required by the transaction but none of these fields has been instantiated in the transaction (by a previous event addition).

contingency-maxopts

Syntax: (maxrows|maxcols)=<int>

Description: Maximum number of rows or columns. If the number of distinct values of the field exceeds this maximum, the least common values will be ignored. A value of 0 means unlimited rows or columns.

contingency-mincover

Syntax: (mincolcover|minrowcover)=<num>

Description: Cover only this percentage of values for the row or column field. If the number of entries needed to cover the required percentage of values exceeds maxrows or maxcols, maxrows or maxcols takes precedence.

contingency-totalstr

contingency-usetotal

Syntax: usetotal=<bool>

Description: Add row and column totals

convert-auto

Syntax: auto("(" (<wc-field>)? ")")?

Description: Automatically convert the field(s) to a number using the best conversion. Note that if not all values of a particular field can be converted using a known conversion type, the field is left untouched and no conversion at all is done for that field.

Example: ... | convert auto(*delay) as *delay_secs

Example: ... | convert auto(*) as *_num

Example: ... | convert auto(delay) auto(xdelay)

Example: ... | convert auto(delay) as delay_secs

Example: ... | convert auto

Example: ... | convert auto()

Example: ... | convert auto(*)

convert-ctime

Syntax: ctime"("<wc-field>?")"

Description: Convert an epoch time to an ASCII human-readable time. Use the timeformat option to specify the exact format to convert to.

convert-rmcomma

convert-rmunit

Description: Looks for numbers at the beginning of the value and removes trailing text.

Example: ... | convert rmunit(duration)

copyresults-dest-option

Syntax: dest=<string>

Description: The destination file to copy the results to. The string is interpreted as a path relative to SPLUNK_HOME and (1) should point to a .csv file and (2) the file should be located either in etc/system/lookups/ or etc/apps/<app-name>/lookups/.

copyresults-sid-option

Syntax: sid=<string>

Description: The search id of the job whose results are to be copied. Note: the user running this command must have permission to access the job pointed to by this id.

correlate-type

Syntax: type=cocur

Description: Type of correlation to calculate. Only available option currently is the co-occurrence matrix, which contains the percentage of times that two fields exist in the same events.

count-opt

Syntax: count=<int>

Description: The maximum number of results to return.

Example: count=10

crawl-option

Syntax: <string>=<string>

Description: Override settings from crawl.conf.

Example: root=/home/bob

daysago

Syntax: daysago=<int>

Description: Search the last N days (equivalent to startdaysago).

debug-method

Syntax: optimize|roll|logchange|validate|delete|sync|sleep|rescan

Description: The available methods for the debug command.

dedup-consecutive

Syntax: consecutive=<bool>

Description: Only eliminate events that are consecutive.

dedup-keepempty

Syntax: keepempty=<bool>

Description: If an event contains a null value for one or more of the specified fields, the event is either retained (if keepempty=true) or discarded (if keepempty=false).

dedup-keepevents

Syntax: keepevents=<bool>

Description: Keep all events; remove specific values instead.

default

Syntax: No syntax

Description: None

delim-opt

Syntax: delim=<string>

Description: A string used to delimit the original event values in the transaction event fields.

eval-expression

Description: A combination of literals, fields, operators, and functions that represent the value of your destination field. The following are the basic operations you can perform with eval. For these evaluations to work, your values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations may not produce valid results if the values are not numerical. For addition, Splunk can concatenate the two operands if they are both strings. When concatenating values with '.', Splunk treats both values as strings regardless of their actual type.

extract-opt

Description: Extraction options (defaults in parentheses). "segment" specifies whether to note the locations of key/value pairs with the results (internal, false). "auto" specifies whether to perform automatic '=' based extraction (true). "reload" specifies whether to force reloading of props.conf and transforms.conf (false). "limit" specifies how many automatic key/value pairs to extract (50). "kvdelim" is a string specifying a list of character delimiters that separate the key from the value. "pairdelim" is a string specifying a list of character delimiters that separate the key-value pairs from each other. "maxchars" specifies how many characters to look into the event (10240). "mv_add" specifies whether to create multivalued fields; overrides MV_ADD from transforms.conf. "clean_keys" specifies whether to clean keys; overrides CLEAN_KEYS from transforms.conf.

Example: reload=true

Example: auto=false

extractor-name

Syntax: <string>

Description: A stanza that can be found in transforms.conf.

Example: access-extractions

fields-opt

Syntax: fields=<string>? (,<string>)*

Description: DEPRECATED: The preferred usage of transaction is for the list of fields to be specified directly as arguments, e.g. 'transaction foo bar' rather than 'transaction fields="foo,bar"'. The 'fields' constraint takes a list of fields. For search results to be members of a transaction, each specified field, if it has a value, must have the same value as in the other members of that transaction. For example, a search result that has host=mylaptop can never be in the same transaction as a search result that has host=myserver, if host is one of the constraints. A search result that does not have a host value, however, can be in a transaction with another search result that has host=mylaptop, because they are not inconsistent.

Example: fields=host,cookie

grouping-field

Syntax: <field>

Description: By default, the typelearner initially groups events by the value of the grouping-field, and then further unifies and merges those groups, based on the keywords they contain. The default grouping field is "punct" (the punctuation seen in _raw).

Example: host

grouping-maxlen

Syntax: maxlen=<int>

Description: Determines how many characters in the grouping-field value to look at. If set to a negative value, the entire grouping-field value is used to initially group events.

Example: maxlen=30

host-specifier

Syntax: host=<string>

Description: Search for events from the specified host.

hosttag-specifier

Syntax: hosttag=<string>

Description: Search for events whose hosts are tagged with the given string.

input-option

join-options

Description: Options to the join command. 'usetime' indicates whether to limit matches to sub results that are earlier or later than the main result to join with (which of the two depends on the 'earlier' option, which is only valid when usetime=true); default = false. 'overwrite' indicates whether fields from the sub results should overwrite those from the main result if they have the same field name (default = true). 'max' indicates the maximum number of sub results each main result can join with (default = 1; 0 means no limit).

Example: max=3

Example: usetime=t earlier=f

Example: overwrite=f

Example: usetime=t

keepevicted-opt

Syntax: keepevicted=<bool>

Description: Whether to output evicted transactions. Evicted transactions can be distinguished from non-evicted transactions by checking the value of the 'evicted' field, which is set to '1' for evicted transactions.

key-list

Syntax: (<string> )*

Description: A list of keys that are ANDed to provide a filter for the surrounding command.

kmeans-cnumfield

Syntax: cfield=<field>

Description: Controls the name of the field that holds the cluster number for each event.

kmeans-distype

Syntax: dt=(l1norm|l2norm|cityblock|sqeuclidean|cosine)

Description: Distance metric to use. L1/L1NORM is equivalent to CITYBLOCK; L2NORM is equivalent to SQEUCLIDEAN.

kmeans-iters

Syntax: maxiters=<int>

Description: Maximum number of iterations allowed before the algorithm is considered to have failed to converge.

kmeans-k

Syntax: k=<int>(-<int>)?

Description: Number of initial clusters to use. Can be a range, in which case each value in the range is used once and summary data is given.

kmeans-options

kmeans-reps

Description: Number of times to repeat kmeans using random starting clusters.

kmeans-showlabel

Syntax: showlabel=<bool>

Description: Controls whether or not the cluster number is added to the data.

kmeans-tol

Syntax: tol=<num>

Description: Algorithm convergence tolerance.

lit-value

Syntax: <string>|<num>

Description: None

lmaxpause-opt

Syntax: maxpause=<int>(s|m|h|d)?

Description: The maximum (inclusive) time between two consecutive events in a contiguous time region.

log-span

Syntax: (<num>)?log(<num>)?

Description: Sets a log-based span. The first number is the coefficient and the second number is the base. The coefficient, if supplied, must be a real number >= 1.0 and < base. The base, if supplied, must be a real number > 1.0 (strictly greater than 1).

multikv-option

multikv-rmorig

Syntax: rmorig=<bool>

Description: Controls the removal of original events from the result set (default=true).

mvlist-opt

Syntax: mvlist=<bool>|<field-list>

Description: Flag controlling whether the multivalued fields of the transaction are (1) a list of the original events ordered in arrival order or (2) a set of unique field values ordered lexicographically. If a comma- or space-delimited list of fields is provided, only those fields are rendered as lists.

outlier-action-opt

Syntax: action=(remove|transform)

Description: What to do with outliers. RM | REMOVE removes the event containing the outlying numerical value. TF | TRANSFORM truncates the outlying value to the threshold for outliers and prefixes the value with "000".

searchoption

searchtimespandays

Syntax: searchtimespandays=<int>

Description: None

searchtimespanhours

Syntax: searchtimespanhours=<int>

Description: The time span operators are always applied from the last time boundary set. Therefore, if an endtime operator is closest to the left of a timespan operator, the timespan is applied to the starttime. For example, 'enddaysago::1 searchtimespanhours::5' is equivalent to 'starthoursago::29 enddaysago::1'.

searchtimespanminutes

Syntax: searchtimespanminutes=<int>

Description: None

searchtimespanmonths

Syntax: searchtimespanmonths=<int>

Description: None

select-arg

Syntax: <string>

Description: Any valid SQL select arguments, per the syntax found at http://www.sqlite.org/lang_select.html. If no "from results" is specified in the select-arg, it is inserted automatically. Runs a SQL select query against the passed-in search results. All fields referenced in the select statement must be prefixed with an underscore. Therefore, "ip" should be referenced as "_ip" and "_raw" should be referenced as "__raw". Before the select command is executed, the previous search results are put into a temporary database table called "results". If a row has no values, "select" ignores it to prevent blank search results.

selfjoin-options

Syntax: overwrite=<bool> | max=<int> | keepsingle=<int>

Description: The selfjoin command joins each result with other results that have the same value for the join fields. 'overwrite' controls whether fields from these 'other' results should overwrite fields of the result used as the basis for the join (default=true). 'max' indicates the maximum number of 'other' results each main result can join with (default = 1; 0 means no limit). 'keepsingle' controls whether or not results with a unique value for the join fields (and thus no other results to join with) should be retained (default = false).

Example: max=3

Example: keepsingle=t

Example: overwrite=f

server-list

Syntax: (<string> )*

Description: A list of possibly wildcarded servers. Changes are shown in the context of the differences; try it and see if it makes sense. Additional options:
* header=[true | false]: optionally show a header that tries to explain the diff output.
* attribute=[attribute name]: diff just a single attribute of the results.

sid-opt

Syntax: <string>

Description: The search id of the job whose artifacts need to be loaded.

Example: 1233886270.2

single-agg

Description: A single aggregation applied to a single field (which can be an eval'd field). No wildcards are allowed. The field must be specified, except when using the special 'count' aggregator, which applies to events as a whole.

Example: avg(delay)

Example: sum({date_hour * date_minute})

Example: count

slc-option

Description: Options for configuring the simple log clusters. "T=" sets the threshold, which must be > 0.0 and < 1.0; the closer the threshold is to 1, the more similar events have to be in order to be considered in the same cluster (default is 0.8). "delims" configures the set of delimiters used to tokenize the raw string; by default everything except 0-9, A-Z, a-z, and '_' is a delimiter. "showcount", if true, shows the size of each cluster (default = true unless labelonly is set to true). "countfield" is the name of the field to write the cluster size to (default = "cluster_count"). "labelfield" is the name of the field to write the cluster number to (default = "cluster_label"). "field" is the name of the field to analyze (default = _raw). "labelonly", if true, keeps all original events and merely labels them with their cluster number instead of reducing each cluster to a single event. "match" determines the similarity method used, defaulting to termlist: termlist requires the exact same ordering of terms, termset allows for an unordered set of terms, and ngramset compares sets of trigrams (3-character substrings). ngramset is significantly slower on large field values and is most useful for short non-textual fields, like 'punct'.

sort-by-clause

Description: List of fields to sort by and their sort order (ascending or descending).

Example: - time, host

Example: -size, +source

Example: _time, -host

sort-field

Syntax: <field> | ((auto|str|ip|num) "(" <field> ")")

Description: A sort field may be a field or a sort-type and field. The sort-type can be "ip" to interpret the field's values as IP addresses, "num" to treat them as numbers, "str" to order lexicographically, and "auto" to make the determination automatically. If no type is specified, it is assumed to be "auto".

starttimeu

stats-agg

Description: A specifier formed by an aggregation function applied to a field or set of fields. As of 4.0, it can also be an aggregation function applied to an arbitrary eval expression. The eval expression must be wrapped by "{" and "}". If no field is specified in the parentheses, the aggregation is applied independently to all fields, which is equivalent to specifying a field value of *. When a numeric aggregator is applied to a not-completely-numeric field, no column is generated for that aggregation.

tc-option

Description: Options for controlling the behavior of splitting by a field, in addition to the bucketing-option. usenull controls whether or not a series is created for events that do not contain the split-by field; this series is labeled by the value of the nullstr option, which defaults to NULL. useother specifies whether a series should be added for data series not included in the graph because they did not meet the criteria of the <where-clause>; this series is labeled by the value of the otherstr option, which defaults to OTHER.

top-opt

Description: Top arguments (defaults in parentheses). showcount: whether to create a field called "count" (see the countfield option) with the count of that tuple (T). showperc: whether to create a field called "percent" (see the percentfield option) with the relative prevalence of that tuple (T). rare: when set and calling as top or common, evokes the behavior of calling as rare (F). limit: specifies how many tuples to return; 0 returns all values (10). countfield: name of the new field to write the count to (default is "count"). percentfield: name of the new field to write the percentage to (default is "percent").

transaction-name

Syntax: <string>

Description: The name of a transaction definition from transactions.conf to be used for finding transactions. If other arguments (e.g., maxspan) are provided as arguments to transam, they override the value specified in the transaction definition.

Example: purchase_transaction

transam-filter-string

Description: Where: <search-expression> is a valid search expression that does not contain quotes; <quoted-search-expression> is a valid search expression that contains quotes; <eval-expression> is a valid eval expression that evaluates to a boolean.

Example: eval(distance/time < max_speed)

Example: "user=mildred"

Example: ("search literal")

Example: (name="foo bar")

trend_type

Syntax: (sma|ema|wma)<num>

Description: The type of trend to compute, which consists of a trend type and a trend period (an integer between 2 and 10000).

Example: sma10

ts-day

Syntax: days

Description: Time scale in days.

ts-hr

Syntax: hours

Description: Time scale in hours.

ts-min

Syntax: minutes

Description: Time scale in minutes.

ts-month

Syntax: months

Description: Time scale in months.

ts-sec

Syntax: seconds

Description: Time scale in seconds.

ts-subseconds

Syntax: us|ms|cs|ds

Description: Time scale in microseconds ("us"), milliseconds ("ms"), centiseconds ("cs"), or deciseconds ("ds").

value

where-clause

Description: Specifies the criteria for including particular data series when a field is given in the tc-by-clause. This optional clause, if omitted, defaults to "where sum in top10". The aggregation term is applied to each data series and the result of these aggregations is compared to the criteria. The most common use of this option is to select for spikes rather than the overall mass of the distribution in series selection. The default value finds the top ten series by area under the curve. Alternatively, one could replace sum with max to find the series with the ten highest spikes.
